[Samba] Rights issue on GPO

L.P.H. van Belle belle at bazuin.nl
Mon Jun 27 13:13:35 UTC 2016

> Two things Louis:
> if you look very closely at the differences in the 'ERROR' message, you
> will find the only difference is this:
> against the expected:
> The returned ACL is owned by the 'Local Admins', but it should be owned
> by 'Domain Admins'. As far as I can see, windows doesn't really care who
> owns an object, as long as the ACEs are correct and they are!
> Secondly, more than happy to try adding a GPO, only problem is, I have
> never really added one, can you point me at a good howto ?
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Hai Rowland, 

I just checked on a windows 2008 R2 server. 

Sysvol security rights should be. 

DOMAIN\Server Operators
Creator Owner
Authenticated Users
DOMAIN\Administrators	 contains : 
"Domain Admins",Adminstrator and "Enterprise Admins"  

And the "DOMAIN\Adminstrators" is in the Buildin OU. 

And same for "DOMAIN\Users"  contains: 
Authenticated Users, Domain Users, INTERACTIVE) 

So imo this is a bug as Achim told. 
Alle local security groups must map correctly. 
And but must try to not mix BUILDIN\localgroup and DOMAIN\localgroup 

So imo, if samba is uses as standalone server all Security groups map to BUILDIN\localgroups. 

And when its a domain AD DC server. 
BUILDIN maps to OU=Buildin and here are the correct groups like DOMAIN\localgroups



More information about the samba mailing list